Mailinglist Archive: opensuse-buildservice (138 mails)
Re: [opensuse-buildservice] v4 signs in obs-signd
On Tue, Feb 02, 2016 at 01:23:05PM +0100, Miroslav Suchy wrote:
> On 2.2.2016 at 12:00, Michael Schroeder wrote:
> > Well, the easiest way is to just use V3 if files_are_digests is
> > used. I.e. force sig->version to 3 in gpg's write_signature_packets()
> > function.
>
> But the code is not there anymore. See "Removal of PGP-2 support":
> https://www.gnupg.org/faq/whats-new-in-2.1.html
> and the actual code of pgp2.

What code is no more? gnupg-2.1.10 still has a write_signature_packets
function AFAICS. You just need to change the code from

    if (duration || opt.sig_policy_url
        || opt.sig_notations || opt.sig_keyserver_url)
      sig->version = 4;
    else
      sig->version = pk->version;

to

    if (duration || opt.sig_policy_url
        || opt.sig_notations || opt.sig_keyserver_url)
      sig->version = 4;
    else if (opt.files_are_digests)
      sig->version = 3;
    else
      sig->version = pk->version;

Untested, though. Maybe duration is set, in that case you need to
move the opt.files_are_digests check.

> I investigated it a little bit and RHEL5 (rpm-4.4.2.3) and older are
> unable to work with v4, while RHEL6+ (rpm-4.8.0) can work with v4 signs.
> IIRC the SLES 12 use rpm-4.11.2 and SLES 11 use rpm-4.4.2.3.
> So until RHEL5 is outdated (31 March 2017) and SLES 11 is outdated (31
> Mar 2019) we need to use v3 signs.

Yes, seems like there were some problems with 2048/4096 bits and v4 sigs
(https://bugzilla.redhat.com/show_bug.cgi?id=436812).
So yes, rpm-4.8 should be ok for v4 sigs.

Cheers,
Michael.

--
Michael Schroeder mls@xxxxxxx
SUSE LINUX GmbH, GF Jeff Hawn, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
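
Added example, not part of the original mail and not code from gnupg or obs-signd: a small C check that reads the version octet of a binary OpenPGP signature packet, so a signer's output can be confirmed as v3 or v4 before it reaches the older rpm versions named in the thread. The function name and the sample byte strings are assumptions constructed for illustration; the header layout follows RFC 4880 section 4.2.

```c
#include <stddef.h>
#include <stdio.h>

/* Return the version octet of the first packet in buf if it is an OpenPGP
 * Signature packet (tag 2); -1 for anything else (armor, other tag, short). */
int sig_packet_version(const unsigned char *buf, size_t len)
{
    static const size_t old_len_octets[4] = { 1, 2, 4, 0 };
    unsigned tag;
    size_t hdr;

    if (len < 2 || !(buf[0] & 0x80))        /* bit 7 is set on every packet */
        return -1;
    if (buf[0] & 0x40) {                    /* new-format header */
        tag = buf[0] & 0x3f;
        if (buf[1] >= 192 && buf[1] <= 223)
            hdr = 3;                        /* two-octet length */
        else if (buf[1] == 255)
            hdr = 6;                        /* five-octet length */
        else
            hdr = 2;                        /* one-octet or partial length */
    } else {                                /* old-format header */
        tag = (buf[0] >> 2) & 0x0f;
        hdr = 1 + old_len_octets[buf[0] & 3];
    }
    if (tag != 2 || len <= hdr)
        return -1;
    return buf[hdr];                        /* first body octet = version */
}

/* Constructed sample prefixes: packet header plus first body octets only. */
static const unsigned char sample_v3_old[] = { 0x89, 0x01, 0x15, 0x03, 0x05, 0x00 };
static const unsigned char sample_v4_old[] = { 0x89, 0x01, 0x1c, 0x04, 0x00, 0x01, 0x08 };
static const unsigned char sample_v4_new[] = { 0xc2, 0xc0, 0x5d, 0x04, 0x00, 0x01, 0x08 };
static const unsigned char sample_armor[]  = "-----BEGIN PGP SIGNATURE-----";
static const unsigned char sample_pubkey[] = { 0x99, 0x01, 0x0d, 0x04 };

int main(void)
{
    printf("v3, old header: %d\n", sig_packet_version(sample_v3_old, sizeof sample_v3_old));
    printf("v4, old header: %d\n", sig_packet_version(sample_v4_old, sizeof sample_v4_old));
    printf("v4, new header: %d\n", sig_packet_version(sample_v4_new, sizeof sample_v4_new));
    printf("ASCII armor:    %d\n", sig_packet_version(sample_armor, sizeof sample_armor - 1));
    printf("public key:     %d\n", sig_packet_version(sample_pubkey, sizeof sample_pubkey));
    return 0;
}
```

ASCII-armored input is rejected rather than decoded, so dearmor a signature first if it is stored that way.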